Project

General

Profile

Bug #605

No mail since 2017-10-15 07:00:02

Added by Pierre-Louis Bonicoli 11 months ago. Updated 4 months ago.

Status:
Rejected
Priority:
Normal
Category:
Service :: Mail
Start date:
2017-10-16
Due date:
% Done:

50%

Patch Available:
Confirmed:
Yes
Branch:
Entity:
DuckCorp
Security:
No
Help Needed:

Description

On orfeo, Oct 15 07:00:00 (UTC+2), policyd-weight daemon was unable to restart, then all incoming mail were rejected.

# systemctl status policyd-weight.service
● policyd-weight.service - LSB: Start and stop the policyd-weight daemon
   Loaded: loaded (/etc/init.d/policyd-weight; generated; vendor preset: enabled)
   Active: failed (Result: exit-code) since Sun 2017-10-15 07:00:02 CEST; 1 day 5h ago
     Docs: man:systemd-sysv-generator(8)
  Process: 28244 ExecStop=/etc/init.d/policyd-weight stop (code=exited, status=0/SUCCESS)
  Process: 28291 ExecStart=/etc/init.d/policyd-weight start (code=exited, status=1/FAILURE)
    Tasks: 0 (limit: 4915)
   Memory: 372.0K
      CPU: 389ms
   CGroup: /system.slice/policyd-weight.service
# grep "policyd-weight" /var/log/syslog.1 
Oct 15 07:00:00 orfeo systemd[1]: Stopping LSB: Start and stop the policyd-weight daemon...
Oct 15 07:00:02 orfeo policyd-weight[28244]: Stopping policyd-weight (incl. cache): policyd-weight.
Oct 15 07:00:02 orfeo systemd[1]: Stopped LSB: Start and stop the policyd-weight daemon.
Oct 15 07:00:02 orfeo systemd[1]: Starting LSB: Start and stop the policyd-weight daemon...
Oct 15 07:00:03 orfeo policyd-weight[28291]: Starting policyd-weight: policyd-weightmaster: bind 12525: IO::Socket::INET: Address already in use Address already in use at /usr/sbin/policyd-weight line 1052.
Oct 15 07:00:03 orfeo postfix/policyd-weight[28294]: warning: err: init: master: bind 12525: IO::Socket::INET: Address already in use Address already in use at /usr/sbin/policyd-weight line 1052.
Oct 15 07:00:03 orfeo policyd-weight[28291]:  failed!
Oct 15 07:00:04 orfeo systemd[1]: policyd-weight.service: Control process exited, code=exited status=1
Oct 15 07:00:04 orfeo systemd[1]: Failed to start LSB: Start and stop the policyd-weight daemon.
Oct 15 07:00:04 orfeo systemd[1]: policyd-weight.service: Unit entered failed state.
Oct 15 07:00:04 orfeo systemd[1]: policyd-weight.service: Failed with result 'exit-code'.
Oct 15 07:00:05 orfeo postfix/policyd-weight[16253]: cache killed
# /var/log/syslog.1 extract
Oct 15 07:00:39 orfeo postfix/smtpd[28403]: warning: connect to 127.0.0.1:12525: Connection refused
Oct 15 07:00:39 orfeo postfix/smtpd[28403]: warning: problem talking to server 127.0.0.1:12525: Connection refused
Oct 15 07:00:40 orfeo postfix/smtpd[28403]: warning: connect to 127.0.0.1:12525: Connection refused
Oct 15 07:00:40 orfeo postfix/smtpd[28403]: warning: problem talking to server 127.0.0.1:12525: Connection refused
Oct 15 07:00:40 orfeo postfix/smtpd[28403]: NOQUEUE: reject: RCPT from XXX: 451 4.3.5 <XXXX@milkypond.org>: Recipient address rejected: Server configuration problem; from=<XXX@outlook.com> to=<XXX@milkypond.org> proto=ESMTP helo=<XXX>

Thanks to rtp for pointing that.


Related issues

Related to DuckCorp Infrastructure - Bug #595: Create missing systemd configuration for SYSV compatibility services In Progress 2017-09-23

History

#1 Updated by Pierre-Louis Bonicoli 11 months ago

2017-10-16 12:13 CEST policyd-weight.service has been manually restarted.

policyd-weight.service is automatically generated by systemd-sysv-generator and use /etc/init.d/policyd-weight. /etc/init.d/policyd-weight stop calls start-stop-daemon without --retry, that's why /etc/init.d/policyd-weight start could be called while policyd-weight hasn't been stopped resulting in Address already in use.

Remedies:
  • setup policyd-weight.service without using /etc/init.d/policyd-weight
  • add restart=yes in policyd-weight.service

#2 Updated by Pierre-Louis Bonicoli 11 months ago

Duck: i propose to use the following unit, could you review it ?

[Unit]
Description=Perl policy daemon for the Postfix MTA
Before=postfix.service
After=syslog.target network.target remote-fs.target
Wants=network-online.target

[Service]
Type=forking
ExecStart=/usr/sbin/policyd-weight start
ExecReload=/usr/sbin/policyd-weight reload
ExecStop=/usr/sbin/policyd-weight -k
ExecStop=/usr/sbin/policyd-weight stop

EnvironmentFile=/etc/policyd-weight.conf
Restart=on-failure
PrivateTmp=true

StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=policyd-weight

ProtectSystem=strict
ProtectHome=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
MemoryDenyWriteExecute=true
MountFlags=private
NoNewPrivileges=true
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target

#3 Updated by Pierre-Louis Bonicoli 11 months ago

  • % Done changed from 0 to 50

#4 Updated by Marc Dequènes 11 months ago

  • Related to Bug #595: Create missing systemd configuration for SYSV compatibility services added

#5 Updated by Marc Dequènes 11 months ago

I think EnvironmentFile should be /etc/default/policyd-weight and the start action should keep $DAEMON_OPTS to follow the package's behavior (so that we can then suggest it in a Debian BR).

Would it be possible to do a -k stop; the manpage does not seem to say it would be wrong, but I guess we would have to try to be sure.

As for the security restrictions, that's a very good idea because this daemon is not supposed to need anything else. So if it works well then GoGoGo.

The rest is fine :-).

#6 Updated by Pierre-Louis Bonicoli 11 months ago

Marc Dequènes wrote:

I think EnvironmentFile should be /etc/default/policyd-weight and the start action should keep $DAEMON_OPTS to follow the package's behavior (so that we can then suggest it in a Debian BR).

Indeed.

Would it be possible to do a -k stop; the manpage does not seem to say it would be wrong, but I guess we would have to try to be sure.

I guess.

As for the security restrictions, that's a very good idea because this daemon is not supposed to need anything else. So if it works well then GoGoGo.

Not sure if `User=polw` could be used, I need to check that.

#7 Updated by Pierre-Louis Bonicoli 11 months ago

  • Description updated (diff)

#8 Updated by Pierre-Louis Bonicoli 11 months ago

The same day, the same problem occurred on Toushirou: policyd-weight.service was unable to restart.

#9 Updated by Marc Dequènes 11 months ago

So, the problem is fixed temporarily as unattended upgrades would cause it to reappear sooner or later.

All such service files deployment must be done via Ansible.

We need to notify #595 when this is done.

Any news about the service file details?

#10 Updated by Marc Dequènes 4 months ago

  • Status changed from In Progress to Rejected

policyd-weight is not used anymore after switching to Rspamd (see #435)

Also available in: Atom PDF